#268900 - 04/09/14 08:44 PM
Might be time to change your passwords
|
Old Hand
Registered: 05/29/10
Posts: 863
Loc: Southern California
|
A common encryption tool used to safeguard transmitted data has been breached. http://heartbleed.com/http://www.usatoday.com/story/tech/2014/04/09/heartbleed-five-questions/7501033/Some websites have implemented the fix, but not all. As I understand it (I'm not a systems programer); If the site is still vulnerable, all changing you passwords will do is allow an eavesdropper to capture your new password. Not vulnerable sites have been fixed and should have the passwords changed, and No SSL sites require no action. Though if you share a password/username with an affected site, it would be prudent to change it. https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
_________________________
Hope for the best and prepare for the worst.
The object in life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane
|
Top
|
|
|
|
#268904 - 04/09/14 10:00 PM
Re: Might be time to change your passwords
[Re: Mark_R]
|
Old Hand
Registered: 06/03/09
Posts: 982
Loc: Norway
|
The breach has been fixed, but servers all over the world must install the latest versions of the OpenSSL software.
The breach can be compared to having top-notch security all over and around your house -- but if someone goes to the exact right location behind your garden shed and peeks into the gutter he can extract random pieces of information from the internal workings of the lock to your front door. Repeat this many times over and he will have enough information to replicate the keys to your house (and the code to deactivate your alarm.)
No doubt criminals all over the world are rushing to take advantage of this security flaw before all servers are upgraded. The smaller organisations with less resources will be the slowest to upgrade, and thus vulnerable for a longer time. Anyone seriously about internet security should have upgraded openSSL yesterday.
I've heard estimates that OpenSSL would be running on something like 60% of the servers on the internet.
What no one knows is: Has this flaw been known to criminals before the day before yesterday? If so, they've had ample time to snoop around and sniff out vital security information. If NO ONE with bad intend didn't know about this before... then we've been very lucky, to say the least. But even _*if*_ we are so lucky, criminals will surely be working like mad right now to build tools to extract as much as they can from the remaining servers that hasn't upgraded their openSSL software.
Edited by MostlyHarmless (04/09/14 10:02 PM)
|
Top
|
|
|
|
#268907 - 04/10/14 12:48 AM
Re: Might be time to change your passwords
[Re: Mark_R]
|
Crazy Canuck
Carpal Tunnel
Registered: 02/03/07
Posts: 3241
Loc: Alberta, Canada
|
Yes, change your passwords now, especially for the biggies (bank, eBay, credit card, online trading account, anything that can cost you serious money or trouble, or delete important data, or facilitate identity theft). And probably change those passwords often until the dust settles.
This one is big. As an example, the Canada Revenue Agency (equivalent of the IRS in the US) shut down all online access this morning as a precaution. Three weeks before tax returns for the whole country are due.
It's unbelievable, disgusting, and grossly negligent that a gaping hole like this would be "in the wild" for two years.
|
Top
|
|
|
|
#268909 - 04/10/14 01:22 AM
Re: Might be time to change your passwords
[Re: dougwalkabout]
|
Carpal Tunnel
Registered: 08/03/07
Posts: 3078
|
It's unbelievable, disgusting, and grossly negligent that a gaping hole like this would be "in the wild" for two years. Your NSA tax dollars at work. The Cyber warfare must be getting pretty serious with the Russians for the NSA to throw away their ability to crack SSL in the last 2 years now that the Russians can exploit the same engineered vulnerabilities.
|
Top
|
|
|
|
#268911 - 04/10/14 01:44 AM
Re: Might be time to change your passwords
[Re: dougwalkabout]
|
Pooh-Bah
Registered: 03/13/05
Posts: 2322
Loc: Colorado
|
It's unbelievable, disgusting, and grossly negligent that a gaping hole like this would be "in the wild" for two years. Windows has been in the wild a lot longer. Since 1985. It is not easy to exploit this OpenSSL bug. In fact, I don't think there are any reported cases of it ever having been exploited. It's been fixed for a while already. I believe immediately after it was fist found, it was fixed, and new software was available for immediate installation. I am a LOT more worried about some hacker getting into a merchants database and stealing data in bulk. That method is preferred by hackers, because they get so much more data for their efforts. They aren't going for the "small potatoes" of trying to intercept individual transactions going across the internet so much anymore. The NSA is doing that, but not the hackers trying to steal your information.
|
Top
|
|
|
|
#268912 - 04/10/14 03:16 AM
Re: Might be time to change your passwords
[Re: Mark_R]
|
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3842
Loc: USA
|
The following is a public service announcement from your local neighborhood network security engineer.
Never, ever, re-use passwords across multiple services. If you use the same password at your bank that you do anywhere else, once that password is compromised all the associated services will be compromised.
Some vulnerabilities can be mitigated by using strong passwords. A strong password is at least 12 characters long, contains at least one of each type of character (upper and lower case letters, digits and symbols), and makes no word in English or any other language. I use a secure password database and randomly generated complex passwords. If you must come up with a memorable strong password, create a sentence such as: "Doug Ritter runs the best forum on the Internet, especially for a knife guy." That sentence could be the mnemonic for a password like "DRrt^f0tI,efakg"
Other vulnerabilities, such as Heartbleed, cannot be mitigated by using strong passwords. That's why it's so important to use different passwords everywhere.
One more thing about Heartbleed. If you run a service affected by it, replace your SSL certs and keys after patching the vulnerability. If a service you use is affected by it, change your passwords after the service you use patches the vulnerability.
|
Top
|
|
|
|
#268913 - 04/10/14 03:20 AM
Re: Might be time to change your passwords
[Re: haertig]
|
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3842
Loc: USA
|
It is not easy to exploit this OpenSSL bug. In fact, I don't think there are any reported cases of it ever having been exploited. It's been fixed for a while already. I believe immediately after it was fist found, it was fixed, and new software was available for immediate installation. I'm afraid you're incorrect. This vulnerability is being exploited in the wild. In addition to other reports one of my customers was hit by it. Also, the fix for this was released on April 7th. Unfortunately OpenSSL is a library, not a full product. What that means is that many, many products that use OpenSSL must be patched to use an unaffected version before the problem is truly solved. Everything passing across an SSL/TLS link connected to an affected service should be considered compromised, including user credentials.
|
Top
|
|
|
|
#268916 - 04/10/14 03:45 AM
Re: Might be time to change your passwords
[Re: Mark_R]
|
Pooh-Bah
Registered: 04/01/10
Posts: 1629
Loc: Northern California
|
It's about time for me to get off my ass and finally implement better password security. I have about 100 computer-related logins that require a password. So, I need to think of a system that doesn't repeat a password but allows me to memorize at the same time. This is a daunting task.
_________________________
If you're reading this, it's too late.
|
Top
|
|
|
|
#268918 - 04/10/14 05:06 AM
Re: Might be time to change your passwords
[Re: ireckon]
|
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3842
Loc: USA
|
It's about time for me to get off my ass and finally implement better password security. I have about 100 computer-related logins that require a password. So, I need to think of a system that doesn't repeat a password but allows me to memorize at the same time. This is a daunting task. That worked for me in the early '90s. You need to get yourself an encrypted password database.
|
Top
|
|
|
|
#268920 - 04/10/14 06:20 AM
Re: Might be time to change your passwords
[Re: chaosmagnet]
|
Pooh-Bah
Registered: 03/13/05
Posts: 2322
Loc: Colorado
|
Here is how I do my passwords: I start out with something that I have bought recently that is easy to remember: I rearrange that a little, still easy to remember (notice everything is lowercase now): I replace letters/numbers with their "equivalent". e.g., e with 3, s with 5, a with 8, l with 1, o with 0, etc. I do it both ways ... so e with 3 and 3 with e. Then I alternate holding the <shift> key down to capitalize every other keystroke: I look at the end result and if it doesn't look random enough, or doesn't end up with upper and lower case letters, digits, and punctuation, I buy something else (yeah!) and start over. I end up with very strong passwords this way. And they're easy to remember. I should say, the passwords themselves are NOT easy to remember, but the sequence of steps to generate the password from my example seed phrase ".357rugermag" is easy to remember. And the seed phrase is itself easy to remember because it represents some cool item that I recently bought for myself. The downside to this is that I cannot tell anyone else my password. I cannot even sit down and write it on a piece of paper. I have to have a normal QWERTY keyboard in front of me so I can visually see things as I hunt-and-peck the keys while alternating "shift key up, shift key down, shift key up..." This is how I do the passwords for stuff that I really need to be secure. But for passwords for the less critical stuff, say for my login here on ETS, I use simpler passwords. I have lots and lots of these less secure, but still decent quality, passwords. Since I can't remember them all in my head, I store them in the "KeePass" application. I have that for Linux, my Android phone, and Windows. I assume KeePass might be available for iPhone and MAC's too, but I don't know for sure. The encrypted database for KeePass is copied transparently between all my devices. Each shopping_website/bank/etc. that needs to be secure has its own password - they are never the same password shared between sites. But I will admit, for some of the internet forums I visit, like ETS, I occasionally use the same password. That is because the ramifications of somebody hacking my ETS forum account are pretty minor.
|
Top
|
|
|
|
|
|
|
|
|
|
1
|
2
|
3
|
4
|
5
|
6
|
7
|
8
|
9
|
10
|
11
|
12
|
13
|
14
|
15
|
16
|
17
|
18
|
19
|
20
|
21
|
22
|
23
|
24
|
25
|
26
|
27
|
28
|
29
|
30
|
|
0 registered (),
915
Guests and
1
Spider online. |
Key:
Admin,
Global Mod,
Mod
|
|
|